UDP port 53 connections

boondocker
Level 1

My logs are indicating udp 53 connections to my primary windows2003 domain controller located on the inside of my ASA5510 from outside sources...are these DNS connections related to the stateful connections initiated from the domain controller?

6 Replies

andrew.prince
Level 10

UDP 53 is DNS. UDP is not stateful; check your firewall rules and logs, you may find what you are indeed seeing are responses to your domain controller.

Andrew

I don't have access to a firewall these days but if you do could you check something for me.

My understanding was that UDP is "pseudo-stateful" on a stateful firewall, i.e. it isn't truly stateful as you say because there are no flags (SYN/ACK/FIN/RST), but a stateful firewall still keeps a pseudo state by recording the src/dst IP and port numbers and using a timer, i.e. when it sees the initial UDP packet go out it sets a timer and if it sees the response based on IP and port numbers within the specified time it assumes it is part of the same connection.

What I can't remember is, if the connection is initiated from inside to the outside and an entry is made in the state table, for UDP does the return traffic also put an entry into the state table? My understanding was that it didn't because it just used the existing entry.

So I would have said if the OP is seeing in his logs connections to his domain controller these can't be responses to outbound queries but new connections.

Apologies for the long-windedness, think I might need to bone up on my firewall knowledge again :-)

Jon

Is this something I should worry about? Is there any way of blocking these replies to my primary DC?

Thanks all

Dave

Not sure it is replies to outbound connections. Does your acl on the outside interface allow DNS queries? Could you post your acl?

Jon

Jon,

Sorry for the late reply - been busy.

You are correct - the firewall will keep track of the "connection" through itself, using src/dst IP with src/dst port numbers - also binding them into a NAT/PAT table, also used to some extent for verification of a valid session. Any connectionless protocol passing through the firewall will only be closed after the timeout.

I suppose the question is - is there an acl to permit DNS queries sourced from the outside to the Domain Controller??

No worries Jon!

Andrew
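To make the UDP pseudo-state behaviour Jon and Andrew describe concrete, here is an added example (not code from this thread or from Cisco) that models a simplified stateful firewall: an outbound UDP packet creates a timed entry keyed on src/dst IP and port, a matching inbound packet refreshes that entry rather than creating a new one, and any inbound packet with no matching (unexpired) entry is a new connection that only the outside-interface ACL can permit. The 120 s idle timeout, the addresses and the log events are all constructed for the demonstration.

```python
from dataclasses import dataclass, field

UDP_IDLE_TIMEOUT = 120  # seconds; assumed idle timeout for this toy model


@dataclass
class UdpStateTable:
    # key = (inside_ip, inside_port, outside_ip, outside_port) of an inside-initiated flow
    # value = timestamp of the last packet seen in either direction
    entries: dict = field(default_factory=dict)

    def process(self, event, outside_acl_permits):
        """Classify one packet against the pseudo-state table and the outside ACL."""
        now, src, sport, dst, dport, direction = event
        # Age out idle entries: a late "reply" after the timeout has no state to match.
        for key in [k for k, seen in self.entries.items() if now - seen > UDP_IDLE_TIMEOUT]:
            del self.entries[key]
        if direction == "out":
            # Inside host initiates: create (or refresh) the pseudo-state entry.
            self.entries[(src, sport, dst, dport)] = now
            return "new-outbound"
        # Inbound packet: look for the reverse of an existing inside-initiated flow.
        key = (dst, dport, src, sport)
        if key in self.entries:
            self.entries[key] = now  # refresh the timer; no second entry is created
            return "reply"
        # No matching state: a genuinely new inbound connection, so the outside ACL decides.
        return "new-inbound-permitted" if outside_acl_permits(src, dst, dport) else "new-inbound-denied"


def classify_events(events, outside_acl_permits):
    """Run a list of (time, src, sport, dst, dport, direction) events through one state table."""
    table = UdpStateTable()
    return [table.process(e, outside_acl_permits) for e in events]


# Constructed sample: the inside DC (10.0.0.10) queries a forwarder, gets a reply,
# then an unrelated outside host sends a query straight to the DC on UDP/53,
# and finally a stale packet from the forwarder arrives long after the timeout.
SAMPLE_EVENTS = [
    (0,   "10.0.0.10",     40000, "198.51.100.53", 53,    "out"),
    (1,   "198.51.100.53", 53,    "10.0.0.10",     40000, "in"),
    (5,   "203.0.113.7",   51515, "10.0.0.10",     53,    "in"),
    (200, "198.51.100.53", 53,    "10.0.0.10",     40000, "in"),
]


def deny_all_outside(src, dst, dport):
    """Outside ACL with no permit for inbound DNS to the DC."""
    return False


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, classify_events(SAMPLE_EVENTS, deny_all_outside)):
        print(event, "->", verdict)
```

Only the third and fourth events are what the OP should be looking for in the logs: they reach the DC without any inside-initiated state, so whether they get through depends entirely on the outside ACL.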

Thanks for that. It's one of those things where you've seen it a thousand times, but as I don't have access to a firewall I just wasn't sure.

"I suppose the question is - is there an acl to permit DNS queries sourced from the outside to the Domain Controller??"

Yes, that was my thinking as well.

Jon
